Best Authentication Provider

 
 
David Lozzi
      07-20-2005
Howdy,

I've written a few apps already and I have done custom authentication like
so: prompt for user name and password, verify information against SQL table,
then load returned username, ID, security, etc. into session state. This
works and frankly I'm not sure why I'm posting this except for that I want
to be 'correct' in my apps.

I notice .Net supports Authentication Modes. Which is the better one to use?
I have a basic understanding of each provider and it appears that the Forms
Authentication Provider is the preferred method? Using Forms, how do I
specify the database table in SQL to use? Also, once validated, it loads the
user information into a cookie for later retrieval. Can I load more
information into this cookie, like custom security levels, etc. Currently, I
basically have a range from 1 through 10 specifying security levels, will
this still work or does Forms process security itself?

Same questions with Windows Auth. I've used Windows Auth in some legacy ASP
apps and was able to determine security levels by a user's membership to
domain groups. Does this provider work the same? How do I read the security
information?

Eh, PassPort is cool but not necessary for me so I don't care enough to
ask.

I've been reading through MSDN articles pertaining to these but my questions
can't seem to get answered with MS Docs. Any help and clarity is greatly
appreciated!

Thanks!

David Lozzi


 
Dominick Baier [DevelopMentor]
      07-20-2005
Hello David,

inline

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Howdy,
>
> I've written a few apps already and I have done custom authentication
> like so: prompt for user name and password, verify information against
> SQL table, then load returned username, ID, security, etc. into
> session state. This works and frankly I'm not sure why I'm posting
> this except for that I want to be 'correct' in my apps.
>
> I notice .Net supports Authentication Modes. Which is the better one
> to use? I have a basic understanding of each provider and it appears
> that the Forms Authentication Provider is the preferred method? Using
> Forms, how do I specify the database table in SQL to use? Also, once
> validated, it loads the user information into a cookie for later
> retrieval. Can I load more information into this cookie, like custom
> security levels, etc. Currently, I basically have a range from 1
> through 10 specifying security levels, will this still work or does
> Forms process security itself?


You do that manually - you have to provide a login page - and handle the
login button click event - then you go to a datastore and validate credentials.
The authentication cookie contains a 'UserData' field where you can store
arbitrary additional information, e.g. Roles or what you call Security Levels.
Upon each request then you create an IPrincipal implementation and attach
it to the current thread.

>
> Same questions with Windows Auth. I've used Windows Auth in some
> legacy ASP apps and was able to determine security levels by a user's
> membership to domain groups. Does this provider work the same? How do
> I read the security information?


Regardless of what AuthType you use - the IPrincipal which is accessible
through Page.User or Context.User contains an IsInRole("") method to query
role membership.

I have a full working example of FormsAuth on my blog - this should get you
started. Feel free to ask more questions after you have looked at the code.
http://www.leastprivilege.com/PermaL...0-bc8cfbec4c3a

>
> Eh, PassPort is cool but not necessary for me so I don't care enough
> to ask.
>
> I've been reading through MSDN articles pertaining to these but my
> questions can't seem to get answered with MS Docs. Any help and
> clarity is greatly appreciated!
>
> Thanks!
>
> David Lozzi
>




 
David Lozzi
      07-20-2005
Thank you for your help! It helped a lot. I got my sample app here:

users are redirected to login.aspx. After entering username and password,
formsauthentication is taken care of and cookies and all that stuff. After
this is happy, it then redirects the user to default.aspx, at which point I
can pull the user's username (context.user.identity.name).

I can't seem to figure out how to pull the remaining information about the
user, security level, full name, email addy, etc. This is usually stored in
a session state but I see no session info in this. I can think of one
possible solution, and that would be to query the database every time I
needed this information. Is this a good idea? Is this better than a session
state?

Thanks!

David Lozzi

David Lozzi
      07-20-2005
I said I can't seem to pull the other data, that is because I can't seem to
add it.

Dominick Baier [DevelopMentor]
      07-20-2005
Hello David,

you could stuff them in the cookie (see my SetAuthCookie method) - but keep
in mind that a cookie is limited to 4KB

System.Web.Cache would be another option...

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
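
The approach described in the two replies above (roles or security levels carried in the ticket's UserData field, the 4KB cookie limit, and an IPrincipal rebuilt on each request), as an added example that is not code from this thread or from the linked blog. The class and method names, the `|` separator, the 30-minute lifetime and the 3500-character budget are assumptions made for illustration.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example: hypothetical helper, not the SetAuthCookie method mentioned in the thread.
public static class AuthTicketHelper
{
    // Assumed budget for the encrypted value; leaves headroom under the ~4 KB
    // per-cookie limit for the cookie name and attributes.
    private const int MaxCookieValueChars = 3500;

    // Call from the login page only after the credentials were validated
    // against the data store.
    public static void IssueTicket(HttpResponse response, string userName, string[] roles)
    {
        foreach (string role in roles)
        {
            // The separator must not occur inside a role name, or the list
            // would split differently when it is read back.
            if (role.IndexOf('|') >= 0)
                throw new ArgumentException("Role names must not contain '|'.");
        }
        string userData = string.Join("|", roles);

        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, userData, FormsAuthentication.FormsCookiePath);

        // Encrypt() applies the <forms protection="..."> setting. Only "All"
        // (the default) both encrypts and integrity-protects the ticket, so
        // roles in UserData are trustworthy only with that setting.
        string encrypted = FormsAuthentication.Encrypt(ticket);
        if (encrypted.Length > MaxCookieValueChars)
            throw new InvalidOperationException(
                "Ticket too large for a cookie; store less in UserData.");

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;                          // not readable from script
        cookie.Secure = FormsAuthentication.RequireSSL;  // honour requireSSL from web.config
        response.Cookies.Add(cookie);
    }

    // Call on every request, after FormsAuthenticationModule has decrypted and
    // validated the ticket and set context.User.
    public static void AttachPrincipal(HttpContext context)
    {
        if (context.User == null) return;                // anonymous request
        FormsIdentity identity = context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;

        string userData = identity.Ticket.UserData;
        string[] roles = string.IsNullOrEmpty(userData)
            ? new string[0]
            : userData.Split('|');
        context.User = new GenericPrincipal(identity, roles);
    }
}

// Global.asax.cs: wire the helper into the request pipeline.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        AuthTicketHelper.AttachPrincipal(Context);
    }
}
```

With this in place, a page can check `User.IsInRole("Level7")` if the 1 through 10 security levels are stored as role names such as `Level7` (a naming assumption). Larger profile data such as full name or e-mail address is better kept server-side than in the ticket.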

David Lozzi
      07-21-2005
So is using the session state not a good idea any more? I am so used to using
it as I have been for the past 5 years in all of my ASP/.Net apps. What are
the downsides to using session state? I am going to repost this question
for a broader discussion. Thanks for your help!

David Lozzi